On Tue, Mar 18, 2003 at 12:26:41PM -0800, Peter Jay Salzman wrote:
> ok, let's forget the issue of why the army is using IIS to begin with.
> that's a whole different issue. i'm wondering who gets paid to sit
> around and administrate army webservers, and why it didn't occur to them
>
> "hey, wait a minute. WE'RE running IIS on win2k servers!"
Okay...
Two perspectives:
1) This is a problem that was being exploited by crackers and was learned
about in "white hat" circles by analyzing how the crackers were getting into
the systems. Knowledge of the hole only started being available last week
(Wednesday, IIRC) and CERT and MS's mailing lists (err, and ISS) only sent
out info with links to the patch on Monday.
2) It's one of those "security hotfixes", meaning that it's almost totally
untested. This means that at an institution of meaningful size the correct
procedure is to deploy the hotfix on a testbed server, test that everything
works, and only then deploy it on the live server. (or rotate between
testbed and live; depends on your setup) -- that could take most of a day.
When the fix is out before the exploit, it's reasonably easy... It's also
easier when dealing with a patch-providing organization that can be
trusted to do a bit of testing on their own and where individual components
of the system can be trusted to be upgradeable without affecting the rest of
the system. (in other words, if I upgrade the web server on a Linux box, I
don't need to test the mail server; if I upgrade the web server on a win2k
box, I *must* check the mail server, as well as even less vaguely related
things.)
(In other words: give MS a hard time, not the poor overworked army sysadmin
who's supposed to maintain 500 boxes, of which the one that got hacked is
more than halfway down the priority list.)
--
Eric Eisenhart <*@eric.eisenhart.name>
http://eric.eisenhart.name/
IRC: Freiheit@freenode, AIM: falsch freiheit, ICQ: 48217244